Analysis
- max time kernel: 135s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-05-2024 19:31
Behavioral task: behavioral1
Sample: 108cc3624031e68f0327337b381880a0_NEIKI.exe
Resource: win7-20240221-en
General
- Target: 108cc3624031e68f0327337b381880a0_NEIKI.exe
- Size: 1.1MB
- MD5: 108cc3624031e68f0327337b381880a0
- SHA1: a746bdc69197b4790070a4d8e05ea70bcc939f2b
- SHA256: f1f4d7d354a4e7a54c37826d19e02357e33031865fe195e827ad20a87778a7b5
- SHA512: 0c6e9ec80dc13322cf05ec6a2ff8da129eef9107283ea2e4a7703fa3be43eebc7ef46bc32735ca58c2543a38aef96bbc001f822cb76c92281148a838325c8cfc
- SSDEEP: 24576:zQ5aILMCfmAUjzX6xQGCZLFdGm1StE10/ZcnDPD2:E5aIwC+Agr6S/FFC+Lq
Malware Config
Signatures
- KPOT Core Executable (1 IoC)
  Processes:
    resource: C:\Users\Admin\AppData\Roaming\WinSocket\109cc3724031e79f0328338b391990a0_NFJLJ.exe
    yara_rule: family_kpot
- Trickbot x86 loader (1 IoC)
  Detected Trickbot's x86 loader that unpacks the x86 payload.
  Processes:
    resource: behavioral2/memory/4316-15-0x00000000028C0000-0x00000000028E9000-memory.dmp
    yara_rule: trickbot_loader32
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    852   109cc3724031e79f0328338b391990a0_NFJLJ.exe
    532   109cc3724031e79f0328338b391990a0_NFJLJ.exe
    4992  109cc3724031e79f0328338b391990a0_NFJLJ.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeTcbPrivilege  532   109cc3724031e79f0328338b391990a0_NFJLJ.exe
    Token: SeTcbPrivilege  4992  109cc3724031e79f0328338b391990a0_NFJLJ.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process):
    4316  108cc3624031e68f0327337b381880a0_NEIKI.exe
    852   109cc3724031e79f0328338b391990a0_NFJLJ.exe
    532   109cc3724031e79f0328338b391990a0_NFJLJ.exe
    4992  109cc3724031e79f0328338b391990a0_NFJLJ.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process); the report repeats identical rows, collapsed here with their counts:
    PID 4316 wrote to memory of 852   108cc3624031e68f0327337b381880a0_NEIKI.exe -> 109cc3724031e79f0328338b391990a0_NFJLJ.exe  (3 entries)
    PID 852 wrote to memory of 4252   109cc3724031e79f0328338b391990a0_NFJLJ.exe -> svchost.exe  (26 entries)
    PID 532 wrote to memory of 3840   109cc3724031e79f0328338b391990a0_NFJLJ.exe -> svchost.exe  (26 entries)
    PID 4992 wrote to memory of 3444  109cc3724031e79f0328338b391990a0_NFJLJ.exe -> svchost.exe  (9 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\108cc3624031e68f0327337b381880a0_NEIKI.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\108cc3624031e68f0327337b381880a0_NEIKI.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4316
  - C:\Users\Admin\AppData\Roaming\WinSocket\109cc3724031e79f0328338b391990a0_NFJLJ.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\WinSocket\109cc3724031e79f0328338b391990a0_NFJLJ.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 852
    - C:\Windows\system32\svchost.exe (depth 3)
      Command line: C:\Windows\system32\svchost.exe
      PID: 4252
- C:\Users\Admin\AppData\Roaming\WinSocket\109cc3724031e79f0328338b391990a0_NFJLJ.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\109cc3724031e79f0328338b391990a0_NFJLJ.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 532
  - C:\Windows\system32\svchost.exe (depth 2)
    Command line: C:\Windows\system32\svchost.exe
    PID: 3840
- C:\Users\Admin\AppData\Roaming\WinSocket\109cc3724031e79f0328338b391990a0_NFJLJ.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Roaming\WinSocket\109cc3724031e79f0328338b391990a0_NFJLJ.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4992
  - C:\Windows\system32\svchost.exe (depth 2)
    Command line: C:\Windows\system32\svchost.exe
    PID: 3444
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: 108cc3624031e68f0327337b381880a0
  SHA1: a746bdc69197b4790070a4d8e05ea70bcc939f2b
  SHA256: f1f4d7d354a4e7a54c37826d19e02357e33031865fe195e827ad20a87778a7b5
  SHA512: 0c6e9ec80dc13322cf05ec6a2ff8da129eef9107283ea2e4a7703fa3be43eebc7ef46bc32735ca58c2543a38aef96bbc001f822cb76c92281148a838325c8cfc
- Filesize: 65KB
  MD5: 4c0f5deb706fac4c22d92acf7b8f67d4
  SHA1: aa2d95fc96cce9bd8b6cdbdc712ae8a7a0ae0f26
  SHA256: 23975d4acfd4b61211ea324ab39f46e38d2ed26529bb26b5a9622c5e658be33f
  SHA512: 7a25b8e065543e260068426a8569a3bf2222be1e2bf30f9357cb0ce95d1742146bb061316c26106f6d1e3a39ebc6378f3cf1da9e37c10203c4eb546092bd5788